Lucene search

Gentoo FoundationMGASA-2023-0350

HistoryDec 19, 2023 - 1:41 a.m.

Updated cjose packages fix a security vulnerability

2023-12-1901:41:39

Gentoo Foundation

advisories.mageia.org

updated packages

security vulnerability

aes gcm decryption

authentication tag

jwe

bug

attacker

truncated

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

7.2

Confidence

Low

EPSS

0.003

Percentile

65.9%

JSON

The updated packages fix a security vulnerability: The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. (CVE-2023-37464)

OSVersionArchitecturePackageVersionFilename
Mageia8noarchcjose< 0.6.1-1.1cjose-0.6.1-1.1.mga8
Mageia9noarchcjose< 0.6.1-3.1cjose-0.6.1-3.1.mga9

OS	Version	Architecture	Package	Version	Filename
Mageia	8	noarch	cjose	< 0.6.1-1.1	cjose-0.6.1-1.1.mga8
Mageia	9	noarch	cjose	< 0.6.1-3.1	cjose-0.6.1-3.1.mga9

References

bugs.mageia.org/show_bug.cgi?id=32274

lists.fedoraproject.org/archives/list/[email protected]/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

7.2

Confidence

Low

EPSS

0.003

Percentile

65.9%

JSON

Related for MGASA-2023-0350